Stakeholders, are you encouraging your asset owners and security professionals to work coherently together? Would you approve a physical penetration test as a risk analysis tool?
Why Security Professionals Should Use a Physical Penetration Test as a Tool When Creating an ESRM Program
Organisations often fail to appreciate the value that a strategic relationship between their security professionals and stakeholders can bring. Asset owners do not traditionally understand security; they picture it as the guards who stop known threat actors from walking through the door. Many heads of security feel undervalued: they know where the business weaknesses are and have tried to address them multiple times, only to be knocked back by budget constraints and a lack of understanding.
However, the modern-day security professional is highly skilled and experienced and can help improve the overall business mission by incorporating security practice into everyday business activity.
Enterprise Security Risk Management
In 2019 ASIS, the world’s largest membership organisation for security professionals, launched the Enterprise Security Risk Management Guideline (ASIS ESRM-2019), which defines ESRM as “a strategic approach to security management that aligns an organization’s security practices to its overall strategy using globally established and accepted risk management principles”. Its foundation is the principle that security risk management is a partnership between the asset or business owner and the organisation’s security professionals.
As a security professional, encouraging your business to adopt an ESRM program will benefit the entire organisation and should reflect well on you. One way to start is to engage a professional physical penetration testing company that understands ESRM to conduct a physical penetration test (PPT), providing a realistic risk analysis of your assets. A well-presented PPT debrief gives stakeholders a concrete, comprehensive picture of what vulnerabilities actually look like. For instance, a presentation to the C-suite showing several people literally jumping over speed gates in full view of staff members who do not react has far more impact than any written finding.
What is a Physical Penetration Test?
A physical penetration test is effectively ethical burglary. Experienced PPT specialists will use a range of physical entry and social engineering techniques to try and access specific areas of your buildings. The aim is to test the risk to assets by identifying vulnerabilities in procedures, practices, equipment and infrastructure.
The stages of a PPT will consist of the following:
To use a PPT to communicate with the C-suite, it is vital to identify the organisation’s assets, both tangible and intangible, and to convey them to the testing company at the client consultation stage. The test is then designed around the risks those assets are exposed to. The consultation stage is also your opportunity to tell the testing team where you believe the vulnerabilities lie so they can be included in the scope, and for the testers to draw on their experience to suggest ones you may not be aware of.
A PPT can be subjective: the security posture and the behaviour of staff can vary greatly over the course of a business day. It is important to allow the testers a realistic testing period so they can learn the routines and procedures of security, staff, executives, deliveries and shift changes and gain a comprehensive understanding of where the human and physical vulnerabilities lie. If the findings are going to be used in a presentation, the testing team will also need the capability and manpower to capture high-quality imagery that shows the methodology and the findings of the test.
How to identify a professional PPT service
Many security companies will offer a PPT; however, PPT is not yet regulated, so it is important to choose an organisation that merits your engagement.
Establish the background and experience of the company, whether it is sub-contracting the project, and the background of the testers who will be used. Many testers have former government or military experience, but they must also have enough commercial security knowledge to understand the principles of ESRM. A varied demographic of testers should be used: women are often more successful at infiltration and social engineering than men because they tend to be viewed as less suspicious. Do not be afraid to ask for biographies of the testers, but do not share that information with anyone in your organisation, as staff who recognise a tester will compromise the test. The testing team should also be able to provide proof of their insurance. Your testing company should understand risk assessment and should have a risk assessment methodology in place to measure the risks it finds.
How the findings can be used
Once the PPT is completed you will be provided with a detailed report, including recommendations to mitigate the identified risks. This can be used to build a presentation delivering the findings to the relevant stakeholders and forms the foundation for the next stage of ESRM creation: prioritising and mitigating your risks. It may be necessary to improve your organisation’s security culture before attempting to gain buy-in for ESRM program development. Security culture change is a slow process involving a lengthy period of continuous improvement before it reaches maturity, but a PPT will certainly give you the ammunition to start the conversation.
To find out more about Physical Penetration Testing or our other corporate security and counter-espionage services, contact us:
020 3633 0672
ESRM positions the security professional as a trusted advisor who guides asset owners through security risk management decisions targeted at protecting their critical assets. The overriding principle is that this is a strategic collaboration: building security into business decisions enables security measures to support the business in its overall mission.
To accomplish this, security professionals need to understand the business aims, mission statement, core values, ethos and culture. The security profession needs to align its strategy with that of the business so the two can work in lockstep.
Change does not happen overnight; there is a great deal of stakeholder engagement and ongoing staff security awareness training, re-evaluation and analysis required to ensure that the program is maturing properly.
Root cause analysis – A technique used to identify the conditions that initiate the occurrence of an undesired activity or state.